WannaCry Ransomware Factsheet

What Is WannaCry/Wanacryptor?

WannaCry refers to ransomware that uses worm technology to infiltrate multiple computers across a network. It aims to exploit vulnerabilities in the Windows SMBv1 server to quickly and remotely compromise systems, encrypt files, and spread to other hosts. Systems that are fully updated and have installed the MS17-010 patch are not vulnerable to the WannaCry ransomware. Patches that address vulnerabilities identified in the Microsoft Security Bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) are available for all versions of Windows from XP onward.

What Do I Do If My Computer Is Infected?

Isolate the computer’s network to prevent the malware from easily compromising additional devices.

Note: It is considered highly risky to continue to use the system since WannaCry will keep encrypting files and attempt to spread across the network.

Do not connect to or power on unpatched systems in compromised networks.

The 2Secure team does not advise negotiating or paying a ransom to criminal actors. Be aware that paying the ransom does not guarantee decryption or removal of the malware from your computer. CERT Australia and other open source reporting agencies have found that even after the ransom is paid in full, a backdoor still remains.

Restore from backups. Encrypted files cannot currently be decrypted without the corresponding private key.

Note: If backups are not available, still consider storing the encrypted data before wiping the computer in case a decryption method is found in the future.

A cyber incident can be reported to the 2Secure team 24/7 at cyber@2secure.biz or 646-755-3933.

What If My System Is Not Eligible For The Current Patch?

There are several workarounds that can help protect systems from infection, including the following:

Most modern devices will operate correctly without SMBv1, but some older devices may experience communication or file/device access disruptions.

Block port 445 (Samba).

Note: This may cause disruptions in systems that require port 445.

Review network traffic to confirm that there is no unexpected SMBv1 network traffic. The following links provide information and tools for detecting SMBv1 network traffic relating to Microsoft’s MS17-010 patch:
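As an added illustration of the traffic review described above (not part of the original factsheet and not one of the tools it links to), the following Python example labels TCP port 445 payloads by SMB version using the protocol identifier bytes at the start of each message. The function names, the source addresses (documentation range 192.0.2.0/24) and the constructed sample payloads are assumptions made for the example.

```python
from collections import Counter

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_HEADER_LEN, SMB1_NEGOTIATE = 32, 0x72

def smb1_dialects(msg):
    """Dialect strings offered in an SMB1 Negotiate request."""
    off = SMB1_HEADER_LEN + 1 + 2 * msg[SMB1_HEADER_LEN]  # skip WordCount and words
    byte_count = int.from_bytes(msg[off:off + 2], "little")
    data = msg[off + 2:off + 2 + byte_count]
    # Each entry is a 0x02 buffer-format byte followed by a NUL-terminated name.
    return [d.lstrip(b"\x02").decode("ascii", "replace") for d in data.split(b"\x00") if d]

def classify(payload):
    """Label one TCP/445 payload: 'smb1', 'smb1-negotiate-multi', 'smb2+' or 'other'."""
    if len(payload) < 8 or payload[0] != 0x00:
        return "other"  # not a session-message frame (0x00 + 3-byte length)
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "smb2+"
    if msg[:4] != SMB1_MAGIC or len(msg) < 5:
        return "other"
    if (msg[4] == SMB1_NEGOTIATE and len(msg) > SMB1_HEADER_LEN
            and any(d.startswith("SMB 2") for d in smb1_dialects(msg))):
        return "smb1-negotiate-multi"  # SMB1 framing, but SMB2 dialects are offered
    return "smb1"

def summarize(packets):
    """Map each source address to a Counter of the labels seen from it."""
    out = {}
    for src, payload in packets:
        out.setdefault(src, Counter())[classify(payload)] += 1
    return out

# Constructed sample payloads (not captured traffic).
def frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg
def smb1_message(command, body=b"\x00\x00\x00"):
    return SMB1_MAGIC + bytes([command]) + b"\x00" * 27 + body
def negotiate_request(*dialects):
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return smb1_message(SMB1_NEGOTIATE, b"\x00" + len(data).to_bytes(2, "little") + data)

SAMPLE = [
    ("192.0.2.10", frame(negotiate_request("NT LM 0.12"))),
    ("192.0.2.10", frame(smb1_message(0x73))),  # SMB1 session setup
    ("192.0.2.20", frame(negotiate_request("NT LM 0.12", "SMB 2.002", "SMB 2.???"))),
    ("192.0.2.30", frame(SMB2_MAGIC + b"\x00" * 60)),
]
```

In practice the payloads would come from reassembled TCP streams on port 445; sources labelled smb1 are the hosts still holding SMBv1 sessions.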